Re: AW: Database file structure

2007-05-26 Thread domi

Thank you Bernhard/ Ted (?),

that is exactly what I was looking for. For everyone who wants to know the
time format: start reading Bernhard's link from behind.

Best regards

Dominic



Bernhard Froehlich wrote:
 
 
 Have a look at 
 http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html
 
 Ted
 ;)
 
 -- 
 PGP Public Key Information
 Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
 Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
 
 
 
  
 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Generating a smime certificate

2007-05-26 Thread Mick
Hi All,

I have been trying for some time now to generate a smime certificate that 
works in Kmail.  Unfortunately, when I import it, it shows some kind of error 
with certain extensions:
=
  keyType: 4096 bit RSA
subjKeyId: [?]
authKeyId: [?]
 keyUsage: [error: No value]
  extKeyUsage: [none]
 policies: [none]
  chainLength: [error: No value]
crlDP: [error]
 authInfo: [error]
 subjInfo: [error]
=
As a result of the above I cannot set it to be used with the respective email 
account in Kmail (I suspect that this is because of the keyUsage error).

gpgsm -k shows: 

key usage: [error: No value]
 chain length: [error: No value]

When I look at the certificate that I used to generate the pkcs12 bundle, I 
see this:
=
No Trusted Uses.
No Rejected Uses.
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
=

Are keyUsage and -purpose two different things?  Firefox does not seem to have 
a problem with this pkcs12 file and it recognises all the 'use' flags.

I am at a loss as to why this happens. Can you please suggest ways for 
troubleshooting it?
-- 
Regards,
Mick




Re: Generating a smime certificate

2007-05-26 Thread Marek Marcola
Hello,

Some mail systems (eg Lotus Notes) require proper extensions in
certificates. Certificates without these extensions are not
treated as candidates for signing/encryption. 
With the default configuration, OpenSSL certificates
are created without extensions for signing and encryption.
To change this, remove the comment from the line:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
in the proper section of the openssl.cnf file, generate a
new certificate and check if this works.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: Generating a smime certificate

2007-05-26 Thread Mick
On Saturday 26 May 2007 19:55, Marek Marcola wrote:
 Hello,

 Some mail systems (eg Lotus Notes) require proper extensions in
 certificates. Certificates without these extensions are not
 treated as candidates for signing/encryption.
 With the default configuration, OpenSSL certificates
 are created without extensions for signing and encryption.
 To change this, remove the comment from the line:
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 in the proper section of the openssl.cnf file, generate a
 new certificate and check if this works.

Thanks Marek,

I uncommented the line from the section [ usr_cert ] and also checked that the 
same line was uncommented under the section [ v3_req ].  However, I am 
getting the same error.  :(

This is so frustrating.

Anything else I could check?
-- 
Regards,
Mick




Re: Generating a smime certificate

2007-05-26 Thread Marek Marcola
Hello,
 On Saturday 26 May 2007 19:55, Marek Marcola wrote:
  Hello,
 
  Some mail systems (eg Lotus Notes) require proper extensions in
  certificates. Certificates without these extensions are not
  treated as candidates for signing/encryption.
  With the default configuration, OpenSSL certificates
  are created without extensions for signing and encryption.
  To change this, remove the comment from the line:
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  in the proper section of the openssl.cnf file, generate a
  new certificate and check if this works.
 
 Thanks Marek,
 
 I uncommented the line from the section [ usr_cert ] and also checked that
 the same line was uncommented under the section [ v3_req ].  However, I am
 getting the same error.  :(
 
 This is so frustrating.
 
 Anything else I could check?
Check that you really have proper extensions in the certificate:

 $ openssl x509 -in cert.pem -text -noout 
 .
 .
 X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
 .
 .

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: Generating a smime certificate

2007-05-26 Thread Victor Duchovni
On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:

  $ openssl x509 -in cert.pem -text -noout 
  .
  .
  X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 X509v3 Key Usage:
 Digital Signature, Non Repudiation, Key Encipherment
  .

Perhaps a mini-ca will help. See ca.sh, cert.sh and openssl.cnf
used as follows:

$ ./ca.sh rsa 2048
Generating RSA private key, 2048 bit long modulus
.+++

+++
e is 65537 (0x10001)
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New York'
localityName  :PRINTABLE:'New York'
organizationName  :PRINTABLE:'Example Corp'
commonName:PRINTABLE:'Insecure CA'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until May 26 20:22:33 2017 GMT (3653 days)

Write out database with 1 new entries
Data Base Updated

$ ./cert.sh rsa 1024
Generating RSA private key, 1024 bit long modulus
..++
..++
e is 65537 (0x10001)
Using configuration from ca.cnf
DEBUG[load_index]: unique_subject = no
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'New York'
localityName  :PRINTABLE:'New York'
organizationName  :PRINTABLE:'Example Corp'
organizationalUnitName:PRINTABLE:'Marketing Department'
commonName:PRINTABLE:'mktg.example.com'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until May 25 20:22:59 2008 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

To tweak the subject names, ... of the CA and issued cert, edit 
the names at the top of openssl.cnf:

[ cert_distinguished_name ]
countryName = US
stateOrProvinceName = New York
localityName= New York
organizationName= Example Corp
organizationalUnitName  = Marketing Department
commonName  = mktg.example.com
emailAddress= [EMAIL PROTECTED]

[ ca_distinguished_name ]
countryName = US
stateOrProvinceName = New York
localityName= New York
organizationName= Example Corp
commonName  = Insecure CA
emailAddress= [EMAIL PROTECTED]

the rest should not need tweaks. The cert in myCA/rsacert.pem looks like this:

...
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
B1:54:85:D9:40:45:30:E1:E2:2C:9B:D8:BC:A8:93:EE:61:B8:19:A5
X509v3 Authority Key Identifier:
keyid:36:95:DB:50:85:3A:2F:1E:A8:34:EB:ED:C2:C6:34:F9:4B:38:28:8E
DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/[EMAIL PROTECTED]
serial:EE:05:5D:8D:9F:D7:56:72
...

-- 
Viktor.


ca.sh
Description: Bourne shell script


cert.sh
Description: Bourne shell script


newkey.sh
Description: Bourne shell script
[ cert_distinguished_name ]
countryName = US
stateOrProvinceName = New York
localityName= New York
organizationName= Example Corp
organizationalUnitName  = Marketing Department
commonName  = mktg.example.com
emailAddress= [EMAIL PROTECTED]

[ ca_distinguished_name ]
countryName = US
stateOrProvinceName = New York
localityName= New York
organizationName= Example Corp
commonName  = Insecure CA
emailAddress= [EMAIL PROTECTED]

[ ca ]
default_ca  = req   # The default ca section

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName= match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ ca_cert ]
basicConstraints= critical,CA:true
subjectKeyIdentifier= hash  # this first
authorityKeyIdentifier  = keyid:always, issuer:always   # and now this

[ usr_cert ]
basicConstraints= critical,CA:false
keyUsage= digitalSignature, keyEncipherment
extendedKeyUsage= serverAuth, clientAuth

Re: Generating a smime certificate

2007-05-26 Thread Mick
On Saturday 26 May 2007 21:11, Marek Marcola wrote:

 Check that you really have proper extensions in the certificate:

  $ openssl x509 -in cert.pem -text -noout
  .
  .
  X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 X509v3 Key Usage:
 Digital Signature, Non Repudiation, Key Encipherment
  .
  .

OK, I don't have any X509v3 extensions!  Would these be created by default?  I 
haven't really altered my default openssl.cnf to any extent and definitely 
not commented out any parts of it.
-- 
Regards,
Mick


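
An added example, not from any of the posters, that turns Marek's check into a
script. It writes a minimal openssl.cnf for an end-entity S/MIME certificate
(keyUsage plus extendedKeyUsage = emailProtection, which is OpenSSL's name for
the S/MIME usage and prints as "E-mail Protection"), generates a self-signed
key and certificate with openssl req -x509, then greps openssl x509 -text for
the extensions and reads openssl x509 -purpose. The directory layout, the name
"Mick Example" and the address mick@example.com are made up; an openssl binary
on PATH is assumed. Three facts about where extensions come from matter when
they fail to appear: openssl req -x509 applies the section named by
x509_extensions in [ req ] of the config it reads (v3_ca in the stock file,
not usr_cert); openssl ca applies x509_extensions from its CA section
(usr_cert in the stock file); and openssl x509 -req with -CA or -signkey adds
no keyUsage or extendedKeyUsage unless -extfile (and -extensions) names a
section that has them. The yes/no switch in the script also answers the
-purpose question above: -purpose is OpenSSL's evaluation of the extensions,
so a certificate with no keyUsage or extendedKeyUsage at all is unrestricted
and every purpose reads Yes, while gpgsm reports the missing extension itself.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a self-signed S/MIME
# certificate that carries keyUsage/extendedKeyUsage and check it the way
# Marek suggested. Assumes an openssl(1) binary on PATH; the subject name
# and e-mail address are made up.

# write_cnf DIR yes|no
#   Writes DIR/smime.cnf. With "yes", [ req ] names the extension section,
#   so 'req -x509' adds the extensions; with "no" it does not, which
#   reproduces a certificate with no keyUsage/extendedKeyUsage.
write_cnf() {
    ext_line=""
    if [ "$2" = yes ]; then
        ext_line="x509_extensions     = smime_ext"
    fi
    cat > "$1/smime.cnf" <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = smime_dn
$ext_line

[ smime_dn ]
commonName          = Mick Example
emailAddress        = mick@example.com

# End-entity S/MIME extensions. keyUsage is what gpgsm/Kmail look for;
# emailProtection is OpenSSL's name for the S/MIME extended key usage.
[ smime_ext ]
basicConstraints      = critical, CA:FALSE
keyUsage              = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage      = emailProtection
subjectAltName        = email:mick@example.com
subjectKeyIdentifier  = hash
EOF
}

# make_cert DIR yes|no
#   Creates DIR/key.pem and DIR/cert.pem. 'req -x509' applies only the
#   section named by x509_extensions in [ req ] of the -config file.
make_cert() {
    mkdir -p "$1"
    write_cnf "$1" "$2"
    openssl req -new -x509 -nodes -days 365 -config "$1/smime.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem"
}

# has_extension CERT "Key Usage"
#   Succeeds when 'openssl x509 -text' lists the named X509v3 extension.
#   ("X509v3 Key Usage:" does not match "X509v3 Extended Key Usage:".)
has_extension() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"
}

# purpose_of CERT "S/MIME signing"
#   Prints Yes or No from 'openssl x509 -purpose'. This is OpenSSL's
#   evaluation of the extensions, not the extensions themselves: with
#   no keyUsage/extendedKeyUsage at all, nothing restricts the cert.
purpose_of() {
    openssl x509 -in "$1" -noout -purpose | sed -n "s|^$2 : ||p"
}

# Demo: sh smime_cert.sh demo  (assumed file name). Builds one certificate
# with the extensions and one without, and compares what each check sees.
if [ "$1" = demo ]; then
    work=$(mktemp -d)
    for variant in yes no; do
        make_cert "$work/$variant" "$variant" 2>/dev/null
        c="$work/$variant/cert.pem"
        echo "== extensions configured: $variant"
        if has_extension "$c" "Key Usage"; then
            echo "   keyUsage present"
        else
            echo "   keyUsage MISSING (gpgsm shows this as 'No value')"
        fi
        echo "   -purpose S/MIME signing: $(purpose_of "$c" 'S/MIME signing')"
        echo "   -purpose SSL client:     $(purpose_of "$c" 'SSL client')"
    done
fi
```

With the extensions configured, the certificate shows "X509v3 Key Usage:
critical" and "E-mail Protection" in -text output and -purpose turns "SSL
client" to No because the extendedKeyUsage lacks clientAuth; without them,
-text shows no keyUsage at all and -purpose still says Yes for everything,
which is exactly the combination of outputs reported earlier in the thread.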


Re: Generating a smime certificate

2007-05-26 Thread Mick
On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
 On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
   $ openssl x509 -in cert.pem -text -noout
   .
   .
   X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  X509v3 Key Usage:
  Digital Signature, Non Repudiation, Key Encipherment
   .

 Perhaps a mini-ca will help. See ca.sh, cert.sh and openssl.cnf
 used as follows:
[snip]

Thanks Victor,

Can you see anything amiss with my attached openssl.cnf?

-- 
Regards,
Mick
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


[ ca ]
default_ca	= CA_default		# The default ca section


[ CA_default ]

#dir		= ./demoCA		# Where everything is kept
dir		= .
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
	# several certificates with the same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
	# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem # The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the traditional
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha1			# which md to use.
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional


[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)

Newbie build question

2007-05-26 Thread Sumati Gupta
Hi, 

This is a newbie question:

I downloaded the openssl source and built libssl and libcrypto with the 
linux-debug-elf option. I removed the efence library from the make file since I 
don't have it. Now when I link the two libs with my app, I get a  whole bunch 
of links errors like:

/usr/lib/libssl.so: undefined reference to `BIO_puts@@OPENSSL_0.9.8'
/usr/lib/libssl.so: undefined reference to 
`X509_VERIFY_PARAM_free@@OPENSSL_0.9.8'

What am I doing wrong? I'd appreciate any help.



   

Re: Newbie build question

2007-05-26 Thread Sumati Gupta
Please ignore. My silly mistake. Got it to build.

Sumati Gupta [EMAIL PROTECTED] wrote: Hi, 

This is a newbie question:

I downloaded the openssl source and built libssl and libcrypto with the 
linux-debug-elf option. I removed the efence library from the make file since I 
don't have it. Now when I link the two libs with my app, I get a  whole bunch 
of links errors like:

/usr/lib/libssl.so: undefined reference to `BIO_puts@@OPENSSL_0.9.8'
/usr/lib/libssl.so: undefined reference to 
`X509_VERIFY_PARAM_free@@OPENSSL_0.9.8'

What am I doing wrong? I'd appreciate any help.





   

Re: Generating a smime certificate

2007-05-26 Thread Victor Duchovni
On Sun, May 27, 2007 at 12:13:38AM +0100, Mick wrote:

 On Saturday 26 May 2007 21:38, Victor Duchovni wrote:
  On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:
$ openssl x509 -in cert.pem -text -noout
.
.
X509v3 extensions:
   X509v3 Basic Constraints:
   CA:FALSE
   X509v3 Key Usage:
   Digital Signature, Non Repudiation, Key Encipherment
.
 
  Perhaps a mini-ca will help. See ca.sh, cert.sh and openssl.cnf
  used as follows:
 [snip]
 
 Thanks Victor,
 
 Can you see anything amiss with my attached openssl.cnf?
 

Sorry, for me openssl.cnf is a write-only interface... Perhaps someone
else can help you. I find the files easier to write than read.

-- 
Viktor.